Hi all,

I'm having a stability problem with winbind when I try to resolve NT groups. Allow me to explain my application:

I've got a Mandrake 8.1 box running Samba 2.2.3a (downloaded and compiled myself) and Apache 1.3. I'm building a web application for use within our company that needs to be accessible ONLY to users in certain NT groups. To do this, I'm authenticating in 2 parts:

- First I use the perl module Apache-AuthenNTLM to check that the user is a valid user in our domain and the password is correct.
- Then I use Apache-AuthzPasswd (a bit modified) which uses the getgrgid() call to get the list of all users in a certain group. This works because I have Winbind set up so I can resolve my NT groups on the linux box.

The problem I have is that Winbind seems to misbehave in about 10% of all requests. What I have is either

- The list of users in a group is incomplete
- I get a "Group does not exist" error code back

This phenomenon is the same when -- in a unix shell -- I do "id DOM_User" (I've got my Winbind separator set to _). AND when I get this issue for a specific user, then it stays that way for that user until I restart Winbindd...

I've tried fiddling with "winbind cache time, winbind enum groups and winbind enum users" which seems to affect the issue somewhat, but never to a point that it's completely resolved. (E.g. setting 'winbind enum groups = no' makes that it doesn't work in 90% of the cases)

Any help would be greatly appreciated!

Regards,
Peter

************************************************************************
The information in this email is confidential and is intended solely for the addressee(s). Access to this email by anyone else is unauthorised. If you are not an intended recipient, please notify the sender of this email immediately. You should not copy, use or disseminate the information contained in the email.
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Capco.
http://www.capco.com
***********************************************************************

Hi!

I have winbind on a Mandrake 8.2 computer with samba-2.2.3a installed with urpmi, precompiled. I also added winbind via urpmi. On my computer this setup has not caused me any instability. I use the machine for logging on to a w2k domain with ssh.

Regards
Stian B. Barmen

-----Original Message-----
From: samba-admin@lists.samba.org [mailto:samba-admin@lists.samba.org] On Behalf Of Vanderborght Peter
Sent: 25. april 2002 13:04
To: SAMBA LIST (E-mail)
Subject: [Samba] Apache, Winbind and NT Domain Groups

Hi all,

I'm having a stability problem with winbind when I try to resolve NT groups. Allow me to explain my application:

I've got a Mandrake 8.1 box running Samba 2.2.3a (downloaded and compiled myself) and Apache 1.3. I'm building a web application for use within our company that needs to be accessible ONLY to users in certain NT groups. To do this, I'm authenticating in 2 parts:

- First I use the perl module Apache-AuthenNTLM to check that the user is a valid user in our domain and the password is correct.
- Then I use Apache-AuthzPasswd (a bit modified) which uses the getgrgid() call to get the list of all users in a certain group. This works because I have Winbind set up so I can resolve my NT groups on the linux box.

The problem I have is that Winbind seems to misbehave in about 10% of all requests. What I have is either

- The list of users in a group is incomplete
- I get a "Group does not exist" error code back

This phenomenon is the same when -- in a unix shell -- I do "id DOM_User" (I've got my Winbind separator set to _). AND when I get this issue for a specific user, then it stays that way for that user until I restart Winbindd...

I've tried fiddling with "winbind cache time, winbind enum groups and winbind enum users" which seems to affect the issue somewhat, but never to a point that it's completely resolved. (E.g. setting 'winbind enum groups = no' makes that it doesn't work in 90% of the cases)

Any help would be greatly appreciated!

Regards,
Peter

Strange, 'cause here it's really not behaving like it should.

-----Original Message-----
From: Stian B. Barmen [mailto:stian@barmen.nu]
Sent: Thursday, April 25, 2002 1:27 PM
To: 'Vanderborght Peter'; 'SAMBA LIST (E-mail)'
Subject: RE: [Samba] Apache, Winbind and NT Domain Groups

Hi!

I have winbind on a Mandrake 8.2 computer with samba-2.2.3a installed with urpmi, precompiled. I also added winbind via urpmi. On my computer this setup has not caused me any instability. I use the machine for logging on to a w2k domain with ssh.

Regards
Stian B. Barmen
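
Added example (not from any poster in this thread, and not code from Samba or Apache-AuthzPasswd): a Python check that quantifies the symptom described in the first message by resolving one group repeatedly through NSS and tallying the differing answers, and that reports a failed lookup separately from non-membership so the web application grants access in neither case. The group and user names and the replaying resolver are constructed for the demonstration.

```python
import grp
import itertools
from collections import Counter

def nss_members(group):
    """Resolve a group through NSS (winbind, if listed in nsswitch.conf).
    Returns a frozenset of member names, or None if the group does not resolve."""
    try:
        return frozenset(grp.getgrnam(group).gr_mem)
    except KeyError:
        return None

def probe_group(group, rounds=100, resolve=nss_members):
    """Resolve the same group `rounds` times and tally each distinct answer."""
    return Counter(resolve(group) for _ in range(rounds))

def summarize(tally):
    """Count failed lookups and differing member lists in a tally."""
    missing = tally.get(None, 0)
    lists = [m for m in tally if m is not None]
    return {"rounds": sum(tally.values()), "missing": missing,
            "distinct_lists": len(lists),
            "consistent": missing == 0 and len(lists) == 1}

def authorize(user, group, resolve=nss_members):
    """Fail closed: only 'allow' grants access. 'lookup-failed' is kept apart
    from 'deny' so a backend fault can be logged as such."""
    members = resolve(group)
    if members is None:
        return "lookup-failed"
    return "allow" if user in members else "deny"

def replaying_resolver(answers):
    """Constructed stand-in for a misbehaving backend: replays `answers` in a cycle."""
    cycle = itertools.cycle(answers)
    return lambda group: next(cycle)

if __name__ == "__main__":
    # Constructed names and answers: 8 full lists, 1 incomplete list, 1 failure.
    full = frozenset({"DOM_alice", "DOM_bob"})
    flaky = replaying_resolver([full] * 8 + [frozenset({"DOM_alice"}), None])
    print(summarize(probe_group("DOM_webapp", 100, flaky)))
    print(summarize(probe_group("root", 20)))  # real NSS lookup on this host
```

Run against a real winbind-backed group, a tally with more than one distinct list or any failed lookups reproduces the inconsistency outside Apache, which separates a winbindd fault from a fault in the authorization module.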